User access control


What this control covers

The user access control requirement is about making sure that only authorised individuals have accounts, that they only have the minimum privileges needed, and that accounts are properly created, reviewed and removed. Cyber Essentials guidance stresses unique user IDs, avoiding shared accounts, and implementing a formal joiners-movers-leavers process so that access is granted and revoked in a controlled way.

Separating standard user and administrator accounts is a key expectation, because compromise of an admin account typically leads to far more serious impact. Strong authentication (often including multi-factor authentication for internet-facing and administrator access) and periodic review of privileged accounts help limit the damage if a single credential is stolen or a single device is breached.

What assessors expect to see

Assessors expect user access to systems and data to be restricted to only what is required for each user’s role.

This includes:

  • Unique user accounts for all users
  • Strong password policies enforced
  • Administrative privileges limited to specific users
  • User accounts removed or disabled promptly when no longer required
  • MFA enabled for remote access and cloud administrative access

Access controls should be applied consistently across on-premises and cloud environments.

Common reasons organisations fail

Common failure reasons include:

  • Shared user accounts
  • Excessive administrative privileges
  • Weak or unenforced password policies
  • Accounts for former users remaining active
  • MFA not enabled where required

In CE+, failures often result from discrepancies between documented access controls and what is observed during testing.

Practical tips for SMEs

  • Use role-based access wherever possible
  • Review user accounts regularly, especially leavers
  • Restrict admin access to a small number of trusted users
  • Enforce MFA on all remote access and cloud admin accounts
  • Use password managers to support strong, unique passwords
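The regular account review described in the tips above can be turned into a repeatable check. The script below is an added example written for this page; it is not Cyber Essentials or assessor tooling and it does not query any real directory. It runs over a constructed account inventory and a constructed HR leavers list, and flags the failure reasons listed earlier: shared accounts, leavers still enabled, admin or remote accounts without MFA, admin accounts whose owner has no separate standard account, stale accounts, and too many administrators. The inventory fields, the 90-day stale threshold and the two-admin ceiling are assumptions chosen for illustration, not values from the scheme.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Finding codes, one per common failure reason on this page.
SHARED_ACCOUNT = "SHARED_ACCOUNT"
LEAVER_STILL_ENABLED = "LEAVER_STILL_ENABLED"
MFA_MISSING = "MFA_MISSING"
ADMIN_WITHOUT_STANDARD_ACCOUNT = "ADMIN_WITHOUT_STANDARD_ACCOUNT"
STALE_ACCOUNT = "STALE_ACCOUNT"
TOO_MANY_ADMINS = "TOO_MANY_ADMINS"


@dataclass
class Account:
    """One enabled account as exported from a directory or cloud tenant.

    Field names are hypothetical; map your own export onto them.
    """
    username: str
    owner: Optional[str]        # named individual; None means shared/generic
    is_admin: bool
    mfa_enabled: bool
    remote_access: bool         # VPN, remote login or cloud console access
    last_login: Optional[date]  # None if the account has never signed in


# Constructed sample data (not real users).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Account("alice", "alice", False, False, False, date(2024, 5, 30)),
    Account("adm-alice", "alice", True, True, True, date(2024, 5, 31)),
    Account("bob-admin", "bob", True, False, True, date(2024, 5, 20)),
    Account("j.smith", "j.smith", False, True, True, date(2024, 1, 15)),
    Account("reception", None, False, False, False, date(2024, 5, 31)),
]
LEAVERS: Set[str] = {"j.smith"}  # from the HR leavers process


def review(accounts: List[Account], leavers: Set[str], today: date = TODAY,
           max_admins: int = 2, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding_code) pairs for every control failure."""
    findings: List[Tuple[str, str]] = []
    # Owners who hold a standard (non-admin) account for day-to-day work.
    owners_with_standard = {a.owner for a in accounts if not a.is_admin and a.owner}

    for a in accounts:
        if a.owner is None:
            findings.append((a.username, SHARED_ACCOUNT))
        if a.owner in leavers:
            findings.append((a.username, LEAVER_STILL_ENABLED))
        # MFA is expected on remote access and on administrative access.
        if (a.is_admin or a.remote_access) and not a.mfa_enabled:
            findings.append((a.username, MFA_MISSING))
        # Admins should also have a separate standard account, so that the
        # privileged one is not used for routine browsing and email.
        if a.is_admin and a.owner and a.owner not in owners_with_standard:
            findings.append((a.username, ADMIN_WITHOUT_STANDARD_ACCOUNT))
        if a.last_login is None or (today - a.last_login).days > stale_days:
            findings.append((a.username, STALE_ACCOUNT))

    admin_count = sum(1 for a in accounts if a.is_admin)
    if admin_count > max_admins:
        findings.append(("*", TOO_MANY_ADMINS))
    return findings


def findings_for(username: str, findings: List[Tuple[str, str]]) -> Set[str]:
    """Collect the finding codes raised against one account."""
    return {code for user, code in findings if user == username}


if __name__ == "__main__":
    for user, code in review(INVENTORY, LEAVERS):
        print(f"{user:12s} {code}")
```

Each finding maps to an action in the joiners-movers-leavers process: disable and review stale or leaver accounts, enable MFA, create a standard account for any administrator who lacks one, and replace the shared login with named accounts. Running the same check before a CE+ assessment is a simple way to catch the gap between documented controls and what the assessor will actually observe.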

This guidance reflects common assessor interpretations and is intended to support understanding of Cyber Essentials requirements.